IT Security Operations: From Art to Science - Ian Lawden
Post on 19-Dec-2015
TRANSCRIPT
CONTEXT
Threats increasing (and more complex): cyber crime, politically motivated DoS
New ‘opportunities’ for breach: off-shore services, cloud computing, Web 2.0
IT Security Operations Managers having to make decisions that minimise impact on business: minimise downtime, avoid restrictions, reduce costs
Pressure on funding: need to justify investment
Repercussions are serious: loss of system, loss of funds, loss of reputation, loss of face - if the professionals get it wrong?
POTENTIAL FOR CONTENTION?
ITIL Service Management Processes
Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management
Service Delivery: Service Level Management, Financial Management, Capacity Management, IT Continuity Management, Availability Management
Incident Management: user up and running quickly versus preservation of forensic evidence
Change Management: formal control versus emergency (and risky) response
Capacity Management: support business objective versus ‘security seen as an overhead’
Availability Management: customer satisfaction equates to ‘up time’ versus security requires maintenance windows
THREATS (diagram): users under attack from electronic attack and internal threat, behind layers of defence
DEFENCE IN DEPTH - PILLARS OF VULNERABILITY (diagram): organisation defence resting on supplier performance, operational decision making capability, effective risk management and user awareness; supporting activities: training & certification, internal awareness training, supplier management, stakeholder engagement, and review, analysis and modelling
SYSTEM THINKING
System 2: slower, more conscious, effortful, and logical; instinctively understood, controllable, follows rules; requires evidence!
System 1: intuitive, quick, automatic, effortless, and influenced by emotion; reliance increases when a situation is complex and a state of cognitive overload is reached; decisive!
THE ANALYTICAL MODEL
Problem definition: agree the problem to be modelled
Model construction: data gathering and interviews with key stakeholders; collect the information needed to build a model of the enterprise security environment
Model exploration: “execute” the model; take measurements such as the time taken to patch or to have other mitigations in place; run thousands of simulations with different parameters; possible outcomes predicted through rigorous “what-if” analysis
Decision-making: understanding of the conclusions and consequences = improved decision making
Preparing and Responding
Operational Decision Making - Defence in Depth
Desktop estate, antivirus plus buffer overflow: protects the full client population
Network gateway: effective for 32% of vulnerability cases
Restriction of administrative privileges: 80% of OS or privilege escalation exploits require admin rights
Emails to employees (awareness): up to 20 days to be received and read
Temporary workarounds: e.g. shutting down part of the network
VULNERABILITY TIMELINE
Milestones: discovery, zero-day exploit, disclosure, public exploit code, malware, signature available, patch available, patch deployed
Public data about the vulnerability: not measurable (only some groups aware - no public data yet), then some public data, then much public data
Bands on the timeline: window of exposure; patching process, leading up to patch deployed
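As an added worked example (not from the talk or the research it cites), a small Monte Carlo model of the vulnerability timeline above, using the mitigation figures quoted on the Operational Decision Making slide (32% gateway coverage, 80% of exploits needing admin rights, up to 20 days for awareness emails); the malware-arrival, patch-deployment and signature-lag distributions are assumptions, and the layer names are hypothetical.

```python
import random

# Constructed, simplified model of the talk's vulnerability timeline (not the
# speaker's or HP Labs' model): for each simulated vulnerability, malware appears
# some days after disclosure and the patch is deployed later; each enabled layer
# either removes the case entirely or ends the window of exposure earlier.
GATEWAY_COVERAGE = 0.32   # "effective for 32% of vulnerability cases"
NEEDS_ADMIN = 0.80        # "80% of OS or privilege escalation exploits require admin rights"
EMAIL_MAX_DAYS = 20       # "up to 20 days to be received and read"


def simulate_exposure(enabled, runs=10000, seed=1):
    """Window of exposure in days for each of `runs` simulated vulnerabilities.
    `enabled` is a set drawn from {"gateway", "admin_privs", "av", "email_staff"};
    patching is always on. All timing distributions below are assumptions."""
    rng = random.Random(seed)
    windows = []
    for _ in range(runs):
        malware_day = rng.randint(0, 30)        # days after disclosure malware appears
        patch_deployed = rng.randint(20, 180)   # patch available plus deployment lag
        # Layers that remove the case altogether for a fraction of vulnerabilities
        if "gateway" in enabled and rng.random() < GATEWAY_COVERAGE:
            windows.append(0)
            continue
        if "admin_privs" in enabled and rng.random() < NEEDS_ADMIN:
            windows.append(0)
            continue
        # Layers that end the window earlier than patch deployment does
        ends = [patch_deployed]
        if "av" in enabled:
            ends.append(malware_day + rng.randint(1, 5))    # signature lag, assumed
        if "email_staff" in enabled:
            ends.append(malware_day + rng.randint(0, EMAIL_MAX_DAYS))
        # A patch deployed before malware appears leaves no exposure at all
        windows.append(max(0, min(ends) - malware_day))
    return windows


def mean_window(windows):
    return sum(windows) / len(windows)


def histogram(windows, bucket=20, top=180):
    """Bin windows into 20-day buckets (0, 20, ..., 180, "More") like the charts."""
    bins = {}
    for w in windows:
        key = "More" if w > top else (w // bucket) * bucket
        bins[key] = bins.get(key, 0) + 1
    return bins
```

Calling `simulate_exposure` with different layer sets and passing the result to `histogram` reproduces the shape of the risk-exposure charts that follow, and shows why the window shrinks most when the gateway and admin-privilege layers both apply.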
RISK EXPOSURE – TRADITIONAL
(chart: vulnerabilities per year against risk window in days, 0 to 180 in 20-day bins plus “More”; series: admin privs, network gateway, AV; exposure band)
RISK EXPOSURE – GATEWAY PROTECTION
(chart: same axes; series: admin privs, network gateway, AV, email staff; exposure (internal) band)
RISK EXPOSURE – ADMIN PRIVILEGES MINIMISED
(chart: same axes; series: admin privs, network gateway, AV, email staff, patching)
Defence in Depth
DEFENCE IN DEPTH - CONCLUSIONS
A multi-layer approach can be effective in reducing risk exposure
A defence-in-depth position is less strong if a vulnerability is not dealt with by network gateway security: it is likely that a large proportion of the infrastructure will be vulnerable if malware appears
The threat environment should be regularly monitored, for example for changes in malware and infection rates, and for new spread vectors
Timely patching remains important, to ensure the population of workstations no longer contains the vulnerability
CANDIDATES FOR EVALUATION
Server patching: exploring the trade-off between the disruption created when applying fixes to servers, versus bundling patches to reduce disruption but in turn increasing risk
Identity and access management: provisioning and de-provisioning
Web access: website blocking effectiveness; infection risk likelihood (based on employees' browsing habits); fine-grained analytics: infection risk based on employees' age + preferences, website infection likelihood according to popularity/age, amount of time employees spend on the web
KEY MESSAGES
A more scientific and analytical approach to risk mitigation and defence posture is possible and:
- allows greater understanding of the effectiveness of an organisation’s defences
- supports IT Security Operations Managers in focusing on key areas for attention
The time is right to:
- evidence day-to-day decisions with historical data
- influence future strategies and policies using more structured techniques
- carefully consider and challenge the rationale for simply deploying solutions that ‘make us feel better’
Further Reading & Research
Anna Squicciarini, Sathya Dev Rajasekaran, Marco Casassa Mont, “Using Modeling and Simulation to Evaluate Enterprises' Risk Exposures to Social Networks”, IEEE Computer Magazine, Volume 44, Number 1, pp. 66-73, January 2011
Marco Casassa Mont, Yolanta Beres, David Pym, Simon Shiu, “Economics of Identity and Access Management: Providing Decision Support for Investments”, 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan
Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu, “Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes”, IEEE International Workshop on Security Measurements and Metrics (MetriSec 2009), 14 October 2009, Lake Buena Vista, Florida, US
Adrian Baldwin, Marco Casassa Mont, Simon Shiu, “Using Modelling and Simulation for Policy Decision Support in Identity Management”, IEEE 10th Symposium on Policies for Distributed Systems and Networks (Policy 2009), 20-22 July 2009, London
Yolanta Beres, Jonathan Griffin, Max Heitman, David Markle, Peter Ventura, “Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Windows”, Proc. of ACSAC 2008, December 2008
Yolanta Beres, David Pym, Simon Shiu, “Decision Support for Systems Security Investment”, 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan